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Hi TO ALL WHOM IT MAY CONCERN: 



BE IT KNOWN THAT WE, Eiichi Horita, a citizen 
of Japan residing at Mitaka-shi , Tokyo-to, Japan and 
Satoshi Ono, a citizen of Japan residing at 

Shibuya-ku, Tokyo-to, Japan have invented certain new and 
useful improvements in 



DISTRIBUTED DIGITAL SIGNATURE GENERATION METHOD AND DIGITALLY 
SIGNED DIGITAL DOCUMENT GENERATION METHOD AND APPARATUS 



Of which the following is a specification:- 
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TITLE OF THE INVENTION 

DISTRIBUTED DIGITAL SIGNATURE GENERATION 
METHOD AND DIGITALLY SIGNED DIGITAL DOCUMENT 
GENERATION METHOD AND APPARATUS 

5 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to a method 
and an apparatus for generating an integrated 
10 digital signature from distributed digital 

signatures, and a method and an apparatus for 
a ; V generating a digital document with a digital 

3 signature which are used in a service for generating 

,\ a digital signature for a digital document in which 

3 15 it is assured that the digital signature is not 

P forged one, that is, it is assured that the digital 

signature is not one generated by other means. 
■, More particularly, the present invention 

relates to a method and an apparatus for generating 
."J 20 an integrated digital signature from distributed 

ll| digital signatures, and a method and an apparatus 

for generating a digital document with a digital 
signature in which a proper integrated digital 
signature can be generated from partial digital 
25 signatures even when a predetermined number of 

partial digital signature generation systems operate 
incorrectly . 

In addition, the present invention relates 
to a method and an apparatus for generating an 
30 integrated digital signature from distributed 

digital signatures, and a method and an apparatus 
for generating a digital document with a digital 
signature for preventing the risk of theft of secret 
key in centralized digital signature systems. 
35 In addition, the present invention relates 

to a method and an apparatus for generating an 
integrated digital signature from distributed 



digital signatures, and a method and an apparatus 
for generating a digital document with a digital 
signature for preventing weak points in robustness 
against security attacks and fault tolerance of a 
conventional distributed signature generation system 
in which every distributed partial digital signature 
systems should operate correctly for generating an 
integrated digital signature. 

2. Description of the Related Art 
Most of conventional distributed digital 
signature generation systems based on public-key 
cryptosystem use a trusted third party when 
generating a signature key used for the partial 
digital signature. In this case, there is a 
possibility that information on the signature key 
leaks from the third party. That is, the 
conventional distributed digital signature 
generation system has a weak point in that safety of 
the system is impaired if a secret is leaked from 
one point in the system. In other words, the system 
has a weak point in that there is a single point of 
compromise . 

In a distributed digital signature 
generation system in which a digital signature can 
be generated from partial digital signatures only 
when every distributed signature system generates 
correct partial digital signature, there is a weak 
point for robustness against security attacks and 
fault tolerance in that the digital signature can 
not be generated if at least one distributed 
signature system in the plurality of distributed 
signature systems operates incorrectly. 

A conventional distributed digital 
signature generation system which tries to overcome 
the weak point of the secret leaking and the weak 
point of robustness against security attacks and 
fault tolerance is disclosed in T . Wu et al . : 
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"Building intrusion tolerant applications", in 
Proceedings of 8th UNENIX Security Symposium, USENIX, 
1999 (which will be referred to as a first 
conventional method) . In this system, partial 
5 signature keys are generated by each of partial 
digital signature generation systems which are 
distributed by performing distributed processing 
without using the third party, and partial 
information on the partial signature key is 
10 exchanged each other. Then, the distributed digital 
signature generation can be performed if a 
predetermined number, which is called a threshold, 
.*t of the Partial digital signature generation systems 

Q in the whole partial digital signature generation 

53 15 systems operate properly. 

[Sj In addition, a method for preventing key 

M information from increasing is proposed in 

%i t S.Miyazaki, K.Sakurai, M.Yung "On threshold RSA- 

signing with no dealer" in Proceedings of ICISC'99, 
flj 20 pp. 197-207 , Springer, 1999 (which will be referred 

jj^ to as a second conventional method) . 

q In addition, a method for generating an 

111 integrated digital signature by combining the 

threshold number of the partial digital signatures 
25 by using the trusted third party, and for solving 
the problem that key information increases is 
disclosed in V.Shoup "Practical threshold 
signatures", in Proceedings of Eurocrypto 2000" 
(which will be referred to as a third conventional 
30 method) . 

In addition, in Japanese patent 
application No. 8-351565 "key management system 
having hierarchy, encryption system and distributed 
digital signature system" (which will be referred to 
35 as a fourth conventional method) , a distributed 
digital signature system using threshold 
distribution of secret keys having hierarchical 



structure is proposed. The method of threshold 
distribution of secret keys is based on A. Shamir 
"How to share a secret" Communications of ACM, 
Vol.22, pp. 612-613, 1979 in which original secret 
key is calculated once by using a polynomial 
interpolation equation for generating the digital 
signature by distributed processing. 

In addition, as a service of providing a 
timestamp to a digital document by using distributed 
processing systems based on public-key cryptosystem, 
there is Japanese patent application No. 11-247994 
"Distributed type timestamp certification apparatus 
and method and recording medium recording 
distributed timestamp certification program" (which 
will be called a fifth conventional method) . The 
function realized in the system proposed in this 
document can be realized by using time as additional 
information which is added to an input digital 
document. This distributed type time certification 
apparatus has a feature that every distributed 
timestamping authority in a plurality of distributed 
timestamping authorities must generate correct 
partial timestamp in order to obtain an integrated 
timestamp, and a feature that correct timestamped 
certificate can not be issued if a part of the 
distributed timestamping authorities are incorrect. 
Thus, it provides means for preventing forgery of 
timestamped certificate by a part of distributed 
timestamping authorities. 

However, according to the above-mentioned 
first conventional method, it is necessary that each 
partial digital signature generation system prepares 
a different partial signature key according to which 
group generates the integrated digital signature 
among groups each including the threshold number of 
the partial digital signature generation systems. 
Therefore, there is a problem in that key 



information increases. 

In addition, when a group tries to generate 
a digital signature, but, fails to generate it since 
a part of the partial digital signature systems in 
the group do not function correctly, it is necessary 
to generate the signature by another group. Thus, 
there is another problem in that time complexity of 
generating partial digital signatures by the partial 
digital signature generation systems and 
communication between an integrated digital 
signature generation system and the partial digital 
signature generation systems increase. 

As for the second conventional method, it 
is possible to solve one problem that the key 
information increases in the two problems of the 
first conventional methods. However, the second 
problem that time complexity of generating partial 
digital signatures by the partial digital signature 
generation systems and communication between an 
integrated digital signature generation system and 
the partial digital signature generation systems 
increase when a group fails to generate the 
signature remains unsolved. In addition, time 
complexity of generating digital signature from the 
partial digital signatures increases as the number 
of the partial digital signature generation systems 
increases so that there is a problem in that amount 
of the whole process of generating the signature 
increases. In addition, time complexity for 
verifying validity of the partial digital signatures 
is large. Thus, there is a problem in that time 
complexity for assuring that only correct partial 
signature keys are combined for generating an 
integrated digital signature is large. 

The third conventional method is a method 
for generating the integrated digital signature by 
combining the threshold number of partial digital 



signatures and which can solve the problem that key 
information increases. However, also according to 
this method, time complexity of generating digital 
signature from the partial digital signatures 
increases as the number of the partial digital 
signature generation systems increases so that there 
is a problem in that the amount of the whole process 
of generating the signature increases. In addition, 
there is a problem in that time complexity for 
assuring that only correct partial signature keys 
are combined for generating an integrated digital 
signature is large. 

As for the fourth conventional method, 
since original secret key is calculated once by a 
polynomial interpolation equation, the system which 
performs this calculation can know information of a 
secret key. Thus, there is a weak point in that a 
single point of compromise exists. In addition, 
this document does not disclose a method in which, 
when a predetermined number of holding systems of 
secret partial information try to generate a digital 
signature, and when a part of the partial 
information holding systems operate incorrectly, it 
is identified which partial information holding 
system operates incorrectly, and a digital signature 
is generated efficiently by using only correct 
systems by removing the incorrect systems . 

As for the distributed type timestamp 
certification apparatus in the method of the fifth 
conventional method, there is a weak point in 
robustness against security attacks and fault 
tolerance since timestamped certificate can not be 
generated if at least one distributed timestamping 
authority functions incorrectly. 



SUMMARY OF THE INVENTION 

A first object of the present invention is 



to provide a distributed digital signature 
generation method and apparatus, a digitally signed 
digital document generation method and apparatus, a 
distributed digital signature generation program and 
a recording medium storing a distributed digital 
signature generation program for solving the above- 
mentioned problem of the single point of compromise, 
and the weak point of robustness against security 
attacks and fault tolerance that the digital 
signature can not be generated even when only one 
partial digital signature system operates 
incorrectly . 

A second object of the present invention 
is to provide a distributed digital signature 
generation method and apparatus, a digitally signed 
digital document generation method and apparatus, a 
distributed digital signature generation program and 
a recording medium storing a distributed digital 
signature generation program for solving the above- 
mentioned problem that the time complexity of 
generating partial digital signatures by the partial 
digital signature generation systems and 
communication between an integrated digital 
signature generation system and the partial digital 
signature generation systems increase when a group 
including the threshold number of the partial 
digital signature systems tries to generate a 
digital signature, but, fails to generate it. 

A third object of the present invention is 
to provide a distributed digital signature 
generation method and apparatus, a digitally signed 
digital document generation method and apparatus, a 
distributed digital signature generation program and 
a recording medium storing a distributed digital 
signature generation program for solving the problem 
that the time complexity for generating the digital 
signature from the partial digital signatures is 



large . 

A fourth object of the present invention 
is to provide a distributed digital signature 
generation method and apparatus, a digitally signed 
digital document generation method and apparatus, a 
distributed digital signature generation program and 
a recording medium storing a distributed digital 
signature generation program for solving the problem 
that time complexity for assuring that only correct 
partial signature keys are used for generating an 
integrated digital signature is large. 

The above object can be achieved by a 
distributed digital signature generation method for 
generating a digital signature for a digital 
document by using a plurality of partial digital 
signature generation parts, the distributed digital 
signature generation method including the steps of: 

each of the partial digital signature 
generation parts generating a partial signature key 
by communicating with each other without using a 
trusted third party; 

each of the partial digital signature 
generation parts generating a partial digital 
signature by using the partial signature key for a 
hash value of an input digital document ; 

each of the partial digital signature 
generation parts outputting the partial digital 
signature or a pair of the digital document and the 
partial digital signature; 

combining a predetermined number of 
partial digital signatures generated by the partial 
digital signature parts wherein the predetermined 
number is a threshold; 

performing a transformation process on 
each of the predetermined number of partial digital 
signatures according to combination of the 
predetermined number of partial digital signatures; 



and 

generating an integrated digital signature 
from a result of the transformation process. 

In the distributed digital signature 
generation method, a least common multiple of 
predetermined values may be used as a transformation 
number in the transformation process. 

That is, as will be described in the 
embodiments of the present invention, since a least 
common multiple of 6 ( I , r ( 1 ) ) , ■•• , 8 ( I , r (K) ) is used 
instead of ((r-1)!) 2 as the transformation number A 
(I) in A (I) - A (I , i) , the time complexity of 
generating the integrated digital signature from the 
partial digital signatures can be decreased. Here, 
<5(I,r(l)),---,<5 (I , r (K) ) are positive numbers as 
determined shown in Fig. 5. 

The distributed digital signature 
generation method may further include the step of: 

judging whether an incorrect partial 
digital signature generated by an incorrect partial 
signature key exists, and identifying the incorrect 
partial digital signature by combining the 
predetermined number of the partial digital 
signatures and performing a signature verification 
process . 

By combining the threshold number of 
partial digital signatures, using a set of 1(0), 
I(m-l) each including k partial digital signatures 
as shown in Fig. 6, the time complexity of 
verification can be decreased. 

The above object is also achieved by a 
distributed digital signature generation method for 
generating a digital signature for a digital 
document by using a plurality of partial digital 
signature generation parts, the method comprising 
the steps of: 

each of the partial digital signature 
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generation parts adding one or more items of 
additional information to an input digital document 
to generate a digital document with additional 
information ; 

5 each of the partial digital signature 

generation parts generating a partial signature key 
by communicating with each other without using a 
trusted third party; 

each of the partial digital signature 
10 generation parts generating a partial digital 

signature by using the partial signature key for a 
1=4 hash value of the digital document with additional 

3 information; 

; 5J each of the partial digital signature 

;3 15 generation parts outputting a pair of the digital 

CP document with additional information and the partial 

digital signature; 
a combining a predetermined number of the 

!*i pairs of the digital document with additional 

y 20 information and the partial digital signature 

it! wherein the predetermined number is a threshold; 

performing a transformation process on 
each of the predetermined number of partial digital 
signatures according to combination of the 
25 predetermined number of pairs; and 

generating an integrated digital signature 
from a result of the transformation process. 

In addition, the above object is also 
achieved by a distributed digital signature 
30 generation apparatus for generating a digital 
signature for a digital document by using a 
plurality of partial digital signature generation 
parts, wherein: 

each of the partial digital signature 
35 generation parts generates a partial signature key 
by communicating with each other without using a 
trusted third party; 



each of the partial digital signature 
generation parts generates a partial digital 
signature by using the partial signature key for a 
hash value of an input digital document; 

each of the partial digital signature 
generation parts outputs the partial digital 
signature or a pair of the digital document and the 
partial digital signature; 

the distributed digital signature 
generation apparatus comprising: 

a part for combining a predetermined 
number of partial digital signatures generated by 
the partial digital signature parts wherein the 
predetermined number is a threshold; 

a part for performing a transformation 
process on each of the predetermined number of 
partial digital signatures according to combination 
of the predetermined number of partial digital 
signatures; and 

a part for generating an integrated 
digital signature from a result of the 
transformation process. 

In addition, the above object is also 
achieved by a distributed digital signature 
generation apparatus for generating a digital 
signature for a digital document by using a 
plurality of partial digital signature generation 
parts, wherein: 

each of the partial digital signature 
generation parts adds one or more items of 
additional information to an input digital document 
to generate a digital document with additional 
information ; 

each of the partial digital signature 
generation parts generates a partial signature key 
by communicating with each other without using a 
trusted third party; 
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each of the partial digital signature 
generation parts generates a partial digital 
signature by using a partial signature key for a 
hash value of the digital document with additional 
5 information; 

each of the partial digital signature 
generation parts outputs a pair of the digital 
document with additional information and the partial 
digital signature; 
10 the distributed digital signature 

generation apparatus comprising: 

a part for combining a predetermined 
□ number of the pairs of the digital document with 

additional information and the partial digital 
Q 15 signature wherein the predetermined number is a 

ill threshold; 

■JJ a part for performing a transformation 

„ process on each of the predetermined number of 

partial digital signatures according to combination 
jj? 20 of the predetermined number of pairs; and 

111 a part for generating an integrated 

digital signature from a result of the 
transformation process. 

In addition, the above object is also 
25 achieved by a digitally signed digital document 

generation method for generating a digital document 
with a digital signature generated by using a 
plurality of partial digital signature generation 
parts, the digitally signed digital document 
30 generation method comprising the steps of: 

each of the partial digital signature 
generation parts generating a partial signature key 
by communicating with each other without using a 
trusted third party; 
35 each of the partial digital signature 

generation parts generating a partial digital 
signature by using the partial signature key for a 



hash value of an input digital document; 

each of the partial digital signature 
generation parts outputting the partial digital 
signature or a pair of the digital document and the 
partial digital signature ; 

combining a predetermined number of 
partial digital signatures generated by the partial 
digital signature parts wherein the predetermined 
number is a threshold; 

performing a transformation process on 
each of the predetermined number of partial digital 
signatures according to combination of the 
predetermined number of partial digital signatures; 

generating an integrated digital signature 
from a result of the transformation process; and 

generating a digital document with digital 
signature which includes the digital document and 
the integrated digital signature. 

In addition, the above object is also 
achieved by a program for causing a computer to 
generate a digital signature for a digital document 
by using a plurality of partial digital signature 
generation parts, wherein: 

each of the partial digital signature 
generation parts generates a partial signature key 
by communicating with each other without using a 
trusted third party; 

each of the partial digital signature 
generation parts generates a partial digital 
signature by using the partial signature key for a 
hash value of an input digital document; 

each of the partial digital signature 
generation parts outputs the partial digital 
signature or a pair of the digital document and the 
partial digital signature; 

the program comprising: 

program code means for combining a 
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predetermined number of partial digital signatures 
generated by the partial digital signature parts 
wherein the predetermined number is a threshold; 

program code means for performing a 
5 transformation process on each of the predetermined 
number of partial digital signatures according to 
combination of the predetermined number of partial 
digital signatures; and 

program code means for generating an 
10 integrated digital signature from a result of the 
transformation process. 

In addition, the above object is also 
achieved by a computer readable medium storing the 
program . 

15 

BRIEF nF-S CRIPTION OF THF. DRAWINGS 

Other objects, features and advantages of 
the present invention will become more apparent from 
the following detailed description when read in 
20 conjunction with the accompanying drawings, in 
which : 

Fig.l is a figure for explaining the 
principle of the present invention; 

Fig. 2 shows a block diagram of a 
25 distributed digital signature generating apparatus 
(first example) by using a threshold number of 
partial signatures; 

Fig. 3 shows a block diagram of a 
distributed digital signature generation apparatus 
30 (second example) by using a threshold number of 
partial signatures; 

Fig. 4 shows a block diagram of a 
distributed digital signature generation apparatus 
(third example) by using a threshold number of 
35 partial signatures; 

Fig. 5 shows a flowchart showing the 
calculation procedure of the transformation number 
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for the partial digital signatures which minimizes 
time complexity according to an example of the 
present invention; 

Fig. 6 is a figure for explaining a method 
5 of detecting an incorrect partial digital signature 
by using combinations of the partial digital 
signatures according to an example of the present 
invention ; 

Fig. 7 shows a flowchart showing a 
10 procedure of judgment of existence of an incorrect 
partial digital signature by using combinations of 
the partial digital signatures according to an 
example of the present invention; 

Fig. 8 is a flowchart of a procedure for 
15 judging whether the number of the incorrect partial 
digital signature is only one and determining the 
incorrect partial digital signature ; 

Fig. 9 is a block diagram showing a 
digitally signed digital document generation 
20 apparatus using the combination of the threshold 
number of partial signatures (first example) 
according to an example of the present invention; 

Fig. 10 is a block diagram showing a 
digitally signed digital document generation 
25 apparatus using the combination of the threshold 
number of partial signatures (second example) 
according to an example of the present invention; 

Fig. 11 is a block diagram showing a 
digitally signed digital document generation 
30 apparatus using the combination of the threshold 
number of partial signatures (third example) 
according to an example of the present invention 

Fig. 12 is a table showing decreasing 
effect of time complexity by optimization when the 
35 integrated digital signature is generated from the 
partial digital signatures; and 

Figs. 13 and 14 are tables showing 



decreasing effect of time complexity for 
verification of partial signatures. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Fig.l shows the principle of the present 
invention. According to the distributed digital 
signature generation method of the present invention, 
each of partial digital signature generation parts 
generates a partial signature key by communicating 
with each other without using a trusted third party 
in step 1. Then, each of the partial digital 
signature generation parts generates a partial 
digital signature by using the partial signature key 
for the hash value of an input digital document in 
step 2. In step 3, each of the partial digital 
signature generation parts outputs the partial 
digital signature or a pair of the digital document 
and the partial digital signature. After that, a 
predetermined number of partial digital signatures 
generated by the partial digital signature parts are 
combined, with the predetermined number being the 
threshold, a transformation process is performed on 
each of the predetermined number of partial digital 
signatures according to the predetermined number of 
partial digital signatures which are combined; and 
an integrated digital signature is generated from 
the result of the transformation process in step 4. 

In the present invention, three threshold 
distributed digital signature generation apparatuses 
shown in Figs. 2-4 are proposed. 

Fig. 2 shows a block diagram of the 
threshold distributed digital signature generation 
apparatus (first example) . 

As shown in the figure, the distributed 
digital signature generation apparatus 1 includes a 
certain number of partial digital signature 
generation parts 13 and an integrated digital 



signature generation part 14. 

The partial digital signature generation 
parts 13 generate partial digital signatures S : (M) , 
•••,S r (M) for an input digital document M 
5 independently with each other. 

The integrated digital signature 
generation part 14 receives m partial digital 
signatures S r(1) (M) , — , S r(n) (M) , (k^m^r and l^r(l), 
■•• , r (m) ^=r) which are generated by the plurality of 
10 partial digital signature generation parts 13 

independently and the digital document M. Then, the 
integrated digital signature generation part 14 
'~ generates one or more of integrated digital 

Q signatures S(M,I 1 ) ,"",S(M,I S ) from the output partial 

15 digital signatures for s sets I 1 ,---,I S each 

consisting of identification numbers of k partial 
:|S digital signature generation parts 13, where s is 

egual to or larger than 1 and k is the predetermined 
q threshold number. 

rU 20 Fig. 3 shows a block diagram of the 

jif threshold distributed digital signature generation 

ifl apparatus (second example) of the present invention. 

HI The configuration of the digital signature 

generation apparatus 1 shown in Fig. 3 is the same as 
25 that shown in Fig. 2. The partial digital signature 
generation parts 13 generate pairs of the digital 
document and the partial digital signature 
(M, S x (M) >,-•-, (M, S c (M) ) for the input digital document 
M independently with each other. 
30 The integrated digital signature 

generation part 14 receives m pairs (M , S r(1 , (M) ) , 
■•- , (M, S r(m) (M) ) of the digital document M and the 
partial digital signatures which are generated by 
the partial digital signature generation parts 13 
35 independently (M,S r(1) (M) ) ,*•*, (M,S r(m) (M) ) , (k^mSr and 
1 ^ r(l),---, r(m)^r). Then, the integrated digital 
signature generation part 14 generates one or more 



of integrated digital signatures S <M , I, ),••-, S (M , I s ) 
from the output partial digital signatures for s 
sets I L ,--,I S each consisting of identification 
numbers of k partial digital signature generation 
parts 13, where s is egual to or larger than 1 and k 
is the predetermined threshold number. 

Fig. 4 shows a block diagram of the 
threshold distributed digital signature generation 
apparatus (third example) of the present invention. 
As shown in the figure, the distributed digital 
signature generation apparatus 1 includes a certain 
number of additional information combining parts 12 , 
a certain number of partial digital signature 
generation parts 13 and an integrated digital 
signature generation parts 14. 

Each of the additional information 
combining parts 12 (the additional information 
combining parts 12. i) generates v (i) items of 
additional information a(i,l),--,a(i,v(i)) for the 
input digital document M independently, where v (i) 
is a number equal to or larger than 1, and generates 
digital documents with additional information M || a 
(i,l),---,M||a(i,v(i)) which are generated by 
combining the additional information a (i , 1) , ••• , a (i , 
v (i) ) and the digital document M. The digital 
signature generation parts 13i (l^i^r) correspond 
to the additional information combining parts 12.1 , 

12. r respectively. Each of the digital 
signature generation parts (the digital signature 
generation part 13. i) generates pairs of the digital 
document with the additional information and the 
partial digital signature (M || a ( i , 1 ) , S, (M || a ( i , 1 ) ) ) , 

(M i| a (i, v (i) ) , S t (M || a (i, v (i) ) ) ) for the 
digital document with additional information 
generated by the corresponding additional 
information combining part 12 . i . 

The integrated digital signature 



generation part 14 selects m pairs of the digital 
document with additional information M || a(i,h(i)) 
and the partial digital signature (M' , S r(1) (M' )), 
■■■ , W ,S E(m) ,(M' )), where k^m^r and l^r (1) , ■•• , r (m) 
^r and m' e{M||a<r(i),l),---,M||a(r(i),v(i)))} (1^ 
i^m) are satisfied. In addition, the integrated 
digital signature generation part 14 selects s sets 
l lt -",l s S {r (1) , ••■ , r (m) } each consisting of 
identification numbers of k partial digital 
signature generation parts 13 and generates s 
integrated digital signatures S (M' , I x ),•••, S (m' , I s ), 
where k is the predetermined threshold number and s 
is equal to or larger than 1 . 

The additional information which is 
combined by the additional information combining 
part 12 can be identification information of the 
digital signature generation system, the term of 
validity of digital signature, the time of 
generating digital signature or combination of these. 
(Examples ) 

In the following, examples of the present 
invention will be described with reference to 
figures . 

In the following, an example of digital 
signature generation will be described by using 
Figs. 2, 3 and 4. In this example, RSA is used as an 
example of public-key cryptosystem . RSA is 
described, for example, in R.L. Rivest, A. Shamir, 
and L. Adleman "A method for obtaining digital 
signature and public key cryptosystems 
" Communications of ACM, Vo 1 . 2 1 , pp . 12 0- 12 6 , 1 9 7 8 . 

First, a preparation procedure between the 
partial digital signature generation parts for 
generating partial digital signatures will be 
described . 

It is assumed that N is a product of two 
prime numbers which are large enough, 0 (N) is the 



number of integers i which are relatively prime with 
N, where 0^i<N. Then, it is assumed that e is an 
integer which does not have a factor smaller than 
the number r of the partial digital signature 
5 generation parts 13 and which is relatively prime to 
<$> (N) . It is assumed that the pair of N and e (N,e) 
is the public key. 

A set of integers d 1; '",d r which satisfies 
e* (dj^ + '-d,.) =1 mod <t> (N) is generated by using a method 
10 proposed in D.Boneh et al . : Efficient generation of 
shared RSA key {extended abstract) , in "Proceedings 
Crypto'97 ( Springer , 1 9 9 7 ) , such that each partial 
digital signature generation part 13 (for each i=l , 
••• , r ) has d x . 

15 Here, d=(d : +---d r ) becomes the secret key 

corresponding to the public key (N,e). Each partial 
digital signature generation part 13i shown in 
Figs. 2, 3, 4 knows only d if and any other partial 
digital signature generation part 13 does not know 

20 it. In addition, the integrated digital signature 
generation part 14 does not know d. 

Each partial digital signature generation 
part 13i selects k integer coefficients a x0 = d L , 
a i,i ' "* ' a 1 ,k-i which are large enough, where k is the 

25 minimum number of partial signatures necessary for 
distributed signature generation, that is, k is the 
threshold, and a polynomial f 1 (x) is defined as 
fi(x) = a 10 + a lfl -x + ••• + a^n'x 1 " 1 (l^i^r). 

The partial digital signature generation 

30 part 13i calculates f x ( j ) for each integer j which 
satisfies l^j^sr and j i , and sends f t ( j ) to a 
partial digital signature generation part 13j , and 
calculates f x ( i) . 

The partial digital signature generation 

35 part 13i calculates the sum of f i (i) sent from the 
other partial digital signature generation parts 
(partial digital signature generation part 13 j ) ( j ¥= 



i and l^j^r) and f 1 (i) calculated by itself, and 
put the sum as D(i), that is, D(i) = £/,(0 . D(i) is 

called a partial signature key of the partial 
digital signature generation part 13i. 

Next, procedure for partial digital 
signature generation in each partial digital 
signature generation part 13 will be described. 

In the configuration shown in Figs . 2 and 3, 
each partial digital signature generation part 13i 
calculates S A (M) = H(M) D(1> mod N (l^i^r) for the 
input digital document M by using a proper hash 
function {for example, SHA-1 and MD5) whose range is 
included in { 0 , 1 , ••• , N-l } . S, (M) is defined as a 
partial digital signature for M. 

Each partial digital signature generation 
part 13i shown in Fig. 4 calculates S x (M || a ( i , j ) ) =H <M 
II a(i,j)) D(i> mod N for the digital document M || a 
(i,j) with additional information output from the 
additional information combining part 12, by using a 
proper hash function (for example, SHA-1 and MD5) 
whose range is included in { 0 , 1 , • •• , N- 1 } , and defines 
S x (M) as a partial digital signature for M || a { i , j ) 
(i^i^r) . 

Next, the procedure of the integrated 
digital signature generation in the integrated 
digital signature generation part 14 will be 
described . 

M is called a digital document to be 
signed of the partial digital signature S x (M) 
generated by the partial digital signature 
generation part 13i shown in Figs. 2 and 3. For the 
partial digital signature S 1 (M || a ( i , j ) ) generated by 
the partial digital signature generation part 13i 
shown in Fig. 4, the digital document with the 
additional information M || a ( i , j ) is called a 
digital document to be signed of the partial digital 
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signature . 

When assuming that 1 ^ r ( 1 ),•••, r ( k) ^ r and 
r(l),"-r(k) are different from each other, and 
S r(1) (M' ), s r(k) (M* ) is a set of threshold number 

5 of partial digital signatures such that the digital 
document to be signed coincides with m' for each 
partial digital signature, the procedure for 
generating the integrated digital signature S (M' ,1) 
on the basis of the partial digital signatures S r(1) 
10 (M' ) , ••• , S r(k! (M' ) by the integrated digital 

signature generation part 14 is as follows. Setting 

I={r (1) ,-,r (k) } , and X{I,i) = Yl for each i<=i, a 

jelj*i J ~ 1 

positive integer A (I) is selected such that A (I) 
and e are relatively prime and A (I) • A (I,i) becomes 

15 an integer for each iGl. In the following, A (I) 
will be called a transformation number of partial 
digital signatures for I. Although the 
transformation number can be chosen to be ((r-1) ! ) 2 
irrespective of I as proposed in the S.Miyazaki, 

20 K.Sakurai, M.Yung "On threshold RSA-signing with no 
dealer" in Proceedings of ICISC799, pp. 197-207, 
Springer, 1999, for example, it is possible to 
select a different number such that the time 
complexity for generating the integrated digital 

25 signature becomes small as described in the 
following . 

A (I , i) = A (I) - X (I , i) is calculated for 
each iGl. Then, transformation processing is 
performed on the partial digital signature by taking 
30 S rU) (M' ) to the power of A(I,i) mod N, and let 
T r(i) (M' ) be the result. That is, 

T r(i) (AT) = S rW (M') M/J) mod AT . 

Then, T r(1) (M' ),■■•, T r(k) (m' ) are multiplied 



and *K/) = [j~]X (0 (M , )J mod N is calculated. Since A (I) 

and e are relatively prime, integers a (I) and b(I) 
which satisfies A ( I ) • a ( I ) +e *b ( I ) =1 can be 
calculated by using the extended Euclidean algorithm. 
Then, by using a{I), b(I), w(I), 

S(M' ,I)=w(I) a(I) -H(M' ) b(]) mod N is 
calculated as the integrated digital signature for 
the digital document to be signed M' . 

Fig. 5 shows a flowchart showing the 
calculation procedure of the transformation number 
for the partial digital signatures which minimizes 
time complexity according to an example of the 
present invention. 

In the process for generating the 
integrated digital signature from the partial 
digital signature, it is necessary to select a 
transformation number A (I) for each set I={r(l), 
•••,r(k)} including the threshold number of the 
identification numbers of the partial digital 
signature generation parts 13 such that the positive 
integer A (I) and e are relatively prime and A (I) • X 
(I,i) becomes an integer for each iGl. As for the 
transformation number A (I), S. Miyazaki et al . "On 
threshold RSA-signing with no dealer" in Proceedings 
of ICISC'99, LNCS Vol.1787, pp. 197-207, Springer, 
1999 proposes (( r-1 )!) 2 irrespective of I, wherein r 
is the total number of the partial signature 
generation parts. Fig. 5 shows a procedure for 
calculating the transformation number which is 
optimum in the sense that the time complexity 
required for generating the integrated digital 
signature from the partial digital signatures 
becomes the smallest, according to the set I of the 
identification numbers of the partial digital 
signature generation parts 13. 



Assuming that the set 1= { r ( 1 ),••-, r { k) } of 
identification numbers of the threshold number of 
the partial digital signature generation parts 13 is 

given, 1(1, i) - Y[ ~—. is calculated for each iei in 

J ~ l 

step 41. 

Then, in step 42, X(I,i) is reduced for 
each iei, and an absolute value of the denominator 
of the result is represented as 8 (I,i) , that is, <5 

yd, i) 

(I,i) is determined such that 1(1, i) = , where 8 

8(1, i) 

(l,i)>0, and y (I,i) and 5 (I,i) are relatively 
prime . 

In step 43, the least common multiple A 
(I) of 8 (I,r(l) ),••*, 5 (I , r (K) ) is calculated. 

In this way, the transformation number A 
(I) of the partial digital signature for I is 
obtained. A (I) is optimum in the sense that the 
time complexity of generating the integrated digital 
signature from the partial digital signatures by 
using A (I) becomes the smallest. 

In S.Miyazaki et al. "On threshold RSA-signing with 
no dealer" in Proceedings of ICISC'99, LNCS Vol.1787, 
pp . 197--207 , Springer ,1999, it is proposed to use 
((r-D !) A 2 as A (I), with r being the total number 
of the partial digital signature parts. Compared 
with the method of using ( (r-1) !) 2 as A (I), it can 
be checked, by calculation, that the time complexity 
of generating the integrated digital signature from 
the partial digital signatures decreases to about 
1/6 times of that of the conventional method when 
the threshold k is from 3 to 10 and the number r of 
the partial signature generation parts 13 is from 5 
to 19 . 

Next, a procedure for judgment of the 
existence of an incorrect partial digital signature 
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will be described. 

Fig. 6 is a figure for explaining a method 
of detecting an incorrect partial digital signature 
by using combinations of the partial digital 
signatures according to an example of the present 
invention. Fig. 7 shows a flowchart showing a 
procedure of judgment of the existence of an 
incorrect partial digital signature by using 
combinations of the partial digital signatures 
according to an example of the present invention. 
Fig. 8 is a flowchart of a procedure for judging 
whether the number of the incorrect partial digital 
signatures is only one and for determining the 
incorrect partial digital signature. 

By using these figures, the procedure for 
judging the existence of an incorrect partial 
signature generated by an incorrect partial 
signature key and identifying the incorrect partial 
signature will be described, where the integrated 
digital signature generation part 14 performs the 
signature verification procedure by combining the 
threshold number of partial signatures in the 
threshold distributed digital signature generation 
apparatus shown in Figs . 2 , 3 and 4. 

Assuming that k is the threshold necessary 
for generating an integrated digital signature from 
a partial digital signatures, the integrated digital 
signature generation part 14 shown in Figs . 2 , 3 and 

4 can generate an integrated digital signature 

5 (M' ,1) from k partial digital signatures S r(1) (M' ), 

S r(k) (M' ) each of which is output from different 
partial signature generation part 13 and has the 
same digital document to be signed, where r(l), 
■••,r(k) are different from each other and lSr(l) , 
••-,r{k)^r, wherein m' is the digital document to be 
signed of S r(k) <M' ) and 1= { r ( 1 ),•••, r ( k) } . 

For various kinds of combinations each 
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including k partial digital signatures, the 
integrated digital signature generation part 14 
judges whether the generated S (M' ,1) is a proper 
signature of the digital document to be signed m' by 
5 verifying whether the decoding of S (M' , I) by using 
the public key (e, N) coincides with the hash value 
H(M' ) of the digital document to be signed. 
Thereby, it can be judged whether S (M' ,1) is a 
correct digital signature for the initially provided 
10 digital document. 

As described earlier in the configuration 
shown in Figs. 2 and 3, the digital document to be 
Q signed m' of the digital signature S (M' , I) is M 

: 'M which does not include the additional information. 

15 In the configuration shown in Fig. 4, the digital 
»P document to be signed m' of the digital signature 

S (M' ,1) is M || a which includes the additional 
Q information a . 

jj^ The digital document m' to be signed is 

!=fj 20 input to the integrated digital signature generation 

r;t part at the start, in the configuration of Fig. 2. 

I'll In the configuration of Figs. 3 and 4, the digital 

document m' to be signed is output to the integrated 
digital signature generation part 14 by the partial 
25 digital signature generation part 13i (l^i^r) 
shown in Figs . 3 and 4, with the partial digital 
signature Si^M' ) . 

In the following, a procedure for judging 
whether an incorrect partial signature exists in the 
30 set of partial digital signatures S r(1) (m' ) , 

"'' S r<m>( M ' ) whose digital document to be signed is 
M' and which are sent from the partial digital 
signature generation parts 13 shown in Figs. 2, 3 and 
4 will be described by using Fig. 7, wherein this 
35 procedure is applied when there are correct partial 
signatures whose number is at least k-1 with k being 
the threshold necessary for generating an integrated 
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signature. In this procedure, it is assumed that 
r ( 1 ),•", r (m) are different from each other and k+l^ 
mSsr. The reason that m is not assumed to be equal 
to r is that there is a possibility that a part of 
5 the partial digital signature generation parts 

operate incorrectly and do not send partial digital 
signatures . 

As shown in Fig. 6, m subsets 1(0) ,-",I(m- 
1) of { r ( 1 ),•--, r (m) } are selected such that each 
10 I(i) consisting of k elements and I ( i ) = { r ( ( j +1 ) mod 
m) +1 | 0 ^ j Ssm-l } (i = 0 , ••■ ,m-l) in step 61. 
sis The integrated digital signature 

3 S (M' ,I(i)) is generated from {S r (M' ) |rEi(i)} for 

J each l(i) (i=0 , ■•• ,m-l) in step 62. 

3 15 Then, it is tested whether the decoding 

S (M' ,1 (i) ) e mod N of the integrated digital 
signature by the public key (e, N) coincides with 
H(M' ) for each I ( i) ( i=0 , ••• , m-1 ) in step 63. 
- If it is verified that S (M' ,I(i)) e mod 

■ : 20 N=H(M' ) for every I (i) (i=0 , ••■ ,m-l) in step 63, it 

111 is judged that an incorrect partial signature doe 

not exist in S E(1 , (M' ) , ••■ , S r(m) {M' ) . There may be a 
possibility that there are more than one incorrect 
digital signatures in m partial digital signatures 
25 S r(1> (M' ),•••, S r(m) (M' ) and the incorrect digital 
signatures cancel their incorrect effects by, 
conspiring with each other so that the integrated 
digital signature S (M' ,I(i)) generated from S r 
(M' ) (rei(i)) for each I(i) (O^i^m-l) becomes a 
30 correct signature. However, it can be verified that 
such a case does not occur when k+l^=r^2'k-l and 3 
kSslO by a test using a computer. 

Next, a procedure is described for 
determining whether the number of the incorrect 
35 partial digital signatures is only one and 

identifying the only one incorrect partial digital 
signature . 
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According to a procedure shown in Fig. 8, 
when there are correct partial signatures whose 
number is at least the threshold k in m partial 
digital signatures S r(1) (M' ),"•, S r(m) (M' ), and, when 
5 it is judged that there is an incorrect digital 
signature in S c(1) (M' ),"-, S r(m) (M' ) by using the 
procedure shown in Fig. 7, it is judged whether the 
number of the incorrect partial digital signatures 
is only one, and the incorrect partial digital 
10 signature is determined when it is judged that the 
number of the incorrect partial digital signatures 
is only one. 

3 Step 71 determine the set F of i (OSsi^m- 

: 1) for which S (M' ,I(i)) e mod N=H <M' ) is not 

3 15 satisfied. This judgement is also performed in step 

TJ 63 in Fig. 7. Thus, this step can be performed 

H simultaneously when the procedure of Fig. 7 is 

= performed. 

In step 72, F(i) is determined to be {j|0 
II 20 ^j^m-1 and r(i) Gl(j) } for each i with 0^i^m-l. 

U In step 73, when there is i such that O^i 

Ssm-1 and F=F(i) is true, it is decided that the 
only incorrect partial signature is S r(i) (m' ) . 
Otherwise, it is judged that two or more than two 
25 incorrect partial signatures exist in S r(1) (M) , 
"•/S r(m) (M) . 

If there is any j (0^j^m-l) which 
satisfies F=F(j), the number of j is at most one. 

There may be a possibility that there is 
30 more than one incorrect digital signature in m 

partial digital signatures S r(1) (M' ),•••, S r(m) (m' ) and 
their incorrect digital signatures cancel incorrect 
effects by conspiring with each other so that F=F { i ) 
becomes true for an i (l^i^m) in step 74. However, 
35 it can be verified that such a case does not occur 
when k+l^r^2-k-l and 3^k^l0 by a test using a 
computer . 



ry 
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In the following, evaluation of time 
complexity of the above-mentioned procedures will be 
shown . 

In the following evaluation, it is assumed 
5 that k is the number of the partial digital 

signatures necessary for generating an integrated 
digital signature, that is, k is the threshold, r is 
the number of the partial digital signature 
generation parts, 3^k^l0, and r=2*k-l for each k. 
10 In the case that the length of the key is 

of 2048-bits, by using the number of multiplications 
mod N for evaluating the time complexity of judging 
whether there is any incorrect partial digital 
signature and of deciding whether the number of the 
15 incorrect partial digital signatures is only one and 
of identifying the only one partial digital 
^ signature, the time complexity becomes 0.12 times of 

the time complexity of generating a partial 
F|| signature when k = 3, the time complexity becomes 

.J 20 0.20 times of the time complexity of generating a 

partial signature when k = 4 , the time complexity 
fU becomes 0.32 times of the time complexity of 

generating a partial signature when k = 5, the time 
complexity becomes 0.49 times of the time complexity 
25 of generating a partial signature when k = 6, the 
time complexity becomes 0.75 times of the time 
complexity of generating a partial signature when k 
= 7, the time complexity becomes 1.0 times of the 
time complexity of generating a partial signature 
30 when k = 8, the time complexity becomes 1.5 times of 
the time complexity of generating a partial 
signature when k = 9, the time complexity becomes 
2.1 times of the time complexity of generating a 
partial signature when k = 10. 
35 In the conventional verification methods 

disclosed in T.Wu et al . "Building intrusion 
tolerant applications", in Proceedings of 8th USENIX 
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Security Symposium, USENIX, 1999 and in S.Miyazaki 
et al. "On threshold RSA-signing with no dealer" in 
Proceedings of ICISC ' 99, LNCS Vol. 1787, pp. 197- 
207 , Springer , 1999, time complexity is 4 times of 
5 that of generating partial signature since the 

partial digital signature generation part generates 
data for verifying validity of a partial signature 
in addition to the partial digital signature itself, 
sends the data to the integrated digital signature 
10 generation part and the integrated digital signature 
part verifies the validity of each partial digital 
signature. Therefore, in order to verify the 

Ct validity of each partial signature sent from each 

CI 

partial signature generation part, the time 
□ 15 complexity becomes egual to or larger than 20 times 

;; t! of time complexity of generating a partial signature 

£| when k = 3, the time complexity becomes egual to or 

« larger than 28 times of time complexity of 

;:"'} generating a partial signature when k = 4, the time 

20 complexity becomes egual to or larger than 36 times 
ill of time complexity of generating a partial signature 

r l': when k = 5, the time complexity becomes equal to or 

larger than 44 times of time complexity of 
generating a partial signature when k = 6, the time 
25 complexity becomes equal to or larger than 52 times 
of time complexity of generating a partial signature 
when k = 7 , the time complexity becomes equal to or 
larger than 60 times of time complexity of 
generating a partial signature when k = 8, the time 
30 complexity becomes equal to or larger than 68 times 
of time complexity of generating a partial signature 
when k = 9, the time complexity becomes equal to or 
larger than 76 times of time complexity of 
generating a partial siqnature when k = 10. 
35 When comparing the two evaluations of the 

time complexity, it can be understood that the 
verification method of the present invention for 



detecting incorrect partial signatures has the merit 
that the time complexity is small, for the above- 
mentioned key length, the number of thresholds, and 
the total number of partial digital signature parts. 

Next, a method using all available 
integrated digital signatures will be described. 

When the number of the partial digital 
signature generation parts is small, there is a case 
where incorrect partial signatures can be identified 
even when the number of the incorrect partial 
signatures is egual to or more than 2 by testing 

whether S(M\J(i)Y mod N = H(M) is satisfied for all 

subsets J ( 1 ) , ••• , J (K) consisting of k elements of 
{ r (1) , ••• , r (m) } for the set of digital signatures 
S r(1) (M' ), S r(m> (M' ) which are generated by the 

partial digital signature generation parts 
independently and whose digital document to be 
signed is the same, and by analyzing the 
correspondence between J(i) and the result of the 
test. Here, K is the total number of combinations 
for selecting k elements from m elements, that is, 
m! / (k ! • (m-k) ! ) . For example, when the threshold for 
generating the integrated digital signature is 3, 
the total number of the partial digital signature 
generation parts is 5 and 5 partial digital 
signatures whose digital documents to be signed 
coincide are collected, it can be checked that it 
can be determined which partial signatures are 
incorrect even when the number of the incorrect 
partial signatures is at most two by enumerating all 
cases . 

Next, a digitally signed digital document 
generation apparatus using combination of the 
threshold number of partial signatures will be 
described by using Figs . 9 and 10. 

Fig. 9 is a block diagram showing a 



-32- 



digitally signed digital document generation 
apparatus using combination of the threshold number 
of partial signatures (first example) according to 
an example of the present invention, Fig. 10 is a 
5 block diagram showing a digitally signed digital 
document generation apparatus using combination of 
the threshold number of partial signatures (second 
example) according to an example of the present 
invention . 

10 As shown in Figs . 9 and 10, the distributed 

digital signature generation apparatus 2 includes a 
certain number of partial digital signature 
generation parts 13 1 , ••■ r 13 r , an integrated digital 
signature generation part 14 and a digitally signed 
3 15 digital document generation part 15. 

j J} The partial digital signature generation 



parts 13 lr ••*,13 r generate partial digital signatures 
S 1 (M) , •■*, S r (M) for an input digital document M 
independently of each other. 

The integrated digital signature 
generation part 14 receives m partial digital 
signatures S r(1) <M) , •■■ , S r(m) (M) , (k^m^r and k^r(l), 
•••,r(m)2sr) which are generated by the certain 
number of partial digital signature generation parts 
13 and the digital document M . Then, the integrated 
digital signature generation part 14 generates a 
certain number of integrated digital signatures 
S (M, I I ) , ••• , S (M, l a ) from the output partial digital 
signatures for s sets I 1 ,---,I S each consisting of 
identification numbers of k partial digital 
signature generation parts 13, where s is equal to 
or larger than 1 and k is the predetermined 
threshold number. 

The digitally signed digital document 
generation part 15 generates a digital document with 
digital signature for an input digital document by 
combining the generated integrated digital signature 
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and the digital document. 

Next, an example in which additional 
information combining parts are provided to the 
configuration is shown in Figs . 9 and 10. Fig. 11 
5 shows a block diagram of the digitally signed 
digital document generation apparatus (third 
example) using combinations of threshold number of 
partial signatures according to an example of the 
present invention. 

10 As shown in the figure, the distributed 

digital signature generation apparatus 2 includes a 
certain number of additional information combining 
parts 12 x ,---,12 r , a certain number of partial 
digital signature generation parts 13, an integrated 

15 digital signature generation parts 14 and a 

digitally signed digital document generation part 15. 

Each of the additional information 
combining parts 12 (the additional information 
combining part 12. i) generates v (i) items of 

2 0 additional information a (i,l) , ••* , a (i, v (i)) for the 
input digital document M independently, where v (i) 
is a number equal to or larger than 1, and generates 
digital documents with additional information M |[ a 
(i,l) , ••• , M || a (i, v (i)) which are generated by 

25 combining the additional information a ( i , 1 ) , •■ ■ , a ( i , 
v (i)) and the digital document M. 

Each of the digital signature generation 
parts (the digital signature generation part 13. i) 
generates pairs of the digital document with the 

30 additional information and the partial digital 

signatures (M || a ( i , 1 ) , S, (M || a ( i , 1 ) ) ) , ■■• , (M||a(i,v 
(i) ) , S, (M || a (i, v (i) ) ) for the digital document 
with additional information. 

The integrated digital signature 

35 generation part 14 receives m pairs of the digital 

document with additional information and the partial 
digital signature (M' ,S r(1) (M' )),•••, (M' ,S r(m) (M' )) in 



which k^m^r and k^r(l) ,- ( r(m) are satisfied. 
Then, the integrated digital signature generation 
part 14 generates s integrated digital signatures 
S (M' , IJ , , S (M' , I 3 ) from the output partial digital 
5 signatures for s sets I 1 ,-*,I s each consisting of k 
identification numbers of the partial digital 
signature generation parts, where k is the 
predetermined threshold. 

The digitally signed digital document 
10 generation part 15 generates a digital document with 
digital signature T for an input digital document 
^ with additional information by combining the 

generated integrated digital signature and the 
J? digital document with additional information. 

Q 15 Although the above-mentioned examples are 

described on the basis of each configuration, the 
partial digital generation part, the integrated 
is digital signature generation part and the additional 

r-j information combining part in the distributed 

r|j 20 digital signature generation apparatus shown in 

= !l Figs. 2-4 can be realized by programs. These 

!fr! programs can be installed in a computer used as the 

distributed digital signature generation apparatus. 

In addition, the programs can be stored in 
25 a recording medium such as a hard disk, a floppy 

disk, CD-ROM and the like, and can be installed to 
the computer from the recording medium. 

In addition, the partial digital 
generation part, the integrated digital signature 
30 generation part, the additional information 

combining part and the digitally signed digital 
document generation part in the digital document 
with distributed digital signature generation 
apparatus shown in Figs. 10 and 11 can be realized by 
35 programs. These programs can be installed in a 

computer used as the distributed digital signature 
generation apparatus. 
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In addition, the programs can be stored in 
a recording medium such as a hard disk, a floppy 
disk, CD-ROM and the like, and can be installed to 
the computer from the recording medium. 
5 (Effect of the present invention) 

As mentioned above, according to the 
threshold type distributed digital signature 
generation apparatus of the present invention, since 
the trusted third party is not included, the single 

10 point of compromise which brings about leaking of 

secret key can be removed. Thus, the safety of the 
signature system whose most important part is the 
safety of secret key is improved. At the same time, 
since it is allowed to generate the digital 

15 signatures when only predetermined number of partial 
digital signature generation systems in a certain 
number of partial digital signature generation 
systems operate correctly, robustness against 
security attacks and fault tolerance in the digital 

20 signature system can be improved. Accordingly, a 
distributed digital signature generation system 
which is safe and has good robustness against 
security attacks and fault tolerance can be realized. 
Especially, according to the present 

25 invention, when the integrated digital signature is 
generated from the partial digital signatures, since 
the least common multiple of <5(I,r(l)),---,<5(I,r(K)) * 
is used instead of {(r-1)!) 2 as the transformation 
number A (I) in A ( I ) * X ( I , i ) , the time complexity of 

30 generating the integrated digital signature from the 
partial digital signatures can be decreased. 

In addition, in verification of the 
partial digital signatures, since the verification 
is performed by generating m integrated digital 

35 signatures by using m sets I ( 0 ) , ••■ , I (m-1 ) each 

including k partial digital signatures as shown in 
Fig. 6, the time complexity for the verification can 
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be decreased. 

In the following, the decreasing effect of 
the time complexity when the integrated digital 
signature is generated from the partial digital 
5 signatures and the decreasing effect of the time 
complexity of the verification of the partial 
digital signatures will be described. 

Fig. 12 shows the decreasing effect of the 
time complexity by optimization of the process in 
10 which the integrated digital signature is generated 
from the partial digital signatures. The number of 
multiplications mod N is used for evaluating the 
time complexity. The other method to be compared 
with is a method proposed in S. Miyazaki, K. Sakurai, 
15 M. Yung "On threshold RSA-signing with no dealer" in 
Proceedings of ICISC' 99, pp. 197-207, Springer, 1999 
in which ((n-l)!) 2 is used as the transformation 
number, wherein n is the total number of servers 
(which correspond to the partial digital signature 
20 generation parts in the above-mentioned examples) . 

In Fig. 12, k indicates the number of 
necessary servers for generating a signature, r 
indicates the total number of servers, A indicates 
the average bit-length of power exponents necessary 
25 for calculating w(I) (when A (I) is optimized), B 

indicates the average bit-length of power exponents 
necessary for calculating w(I) (when A(I) = ((r- 
1) !) 2 ) , and B/A indicates the decreasing ratio of 
te time complexity. 
30 Figs. 13 and 14 show the decreasing effect 

of the time complexity of verifying of partial 
signatures. Fig. 13 shows a case when bit length of 
the key is 1024 and Fig. 14 shows a case when bit 
length of the key is 2048. The other method to be 
35 compared with is a method proposed in Wu et al . 
"Building intrusion tolerant applications", in 
Proceedings of 8th USENIX, 1999. 



In Figs. 13 and 14, k indicates the number 
of necessary servers for generating a signature, r 
indicates the total number of servers, A indicates 
the number of multiplications of mod N necessary for 
signature verification for one group (shown in Fig. 6, 
which can be called a sliding group) , B indicates 
the number of multiplication of mod N necessary for 
signature verification for every group (including 
the overhead, evaluated as a number of 
multiplications mod N, of computing inverses mod N 
by using the extended Euclidean algorithm) , C 
indicates the number of multiplications mod N 
necessary for verification of one partial signature 
when using the conventional method of Wu et.al, D 
indicates the number of multiplications mod N 
necessary for verification of all partial signatures 
(=rXC) when using the conventional method of Wu 
et.al, D/B indicates the decreasing ratio of the 
time complexity =C/A. 

In the evaluations shown in Figs. 12-14, it 
is assumed that power operation is realized by 
repeating multiplication by using square-and- 
multiply, and that the power operation is realized 
by multiplications whose number is 1.5 times the bit 
length of the exponent in average. The square-and- 
multiply is commonly used as a method for realizing 
power operation efficiently. 

As shown in Fig. 12, according to the 
method of the present invention, the time complexity 
of generating the integrated digital signature from 
the partial digital signatures becomes about 1/6 
times of that of the conventional method. 

In addition, when the bit length of the 
key is 1024, as shown in Fig. 13, the time complexity 
of verifying the validity of all partial signatures 
is largely decreased to 1/85 when the number of the 
servers is 5, and to 1/18 when the number of the 



-38- m 

servers is 19. As shown in Fig. 14, when the bit 
length of the key is 2048, the effect of time 
complexity decreasing is doubled. In this 
evaluation, time complexity of computing inverses 
5 mod N by using the extended Euclidean algorithm 

which is included in the verification processing is 
evaluated on the basis of actual measurement by a 
program written in C implementing the extended 
Euclidean algorithm for computing inverses mod N. 

10 When the key length is 1024, the calculation is 

evaluated as 9.3 times a multiplication mod N, and, 
when the key length is 2048, the calculation is 
evaluated as 13 times a multiplication of mod N. 

According to the method which has been 

15 conventionally proposed, the time complexity of 

verifying validity of all partial signatures becomes 
much larger than that of generating the signatures. 
In the above-mentioned methods of Wu , the time 
complexity of verifying one partial signature is 

20 four times of that of generating the partial 

signature, and the whole time complexity is one 
multiplied by the number of servers. Therefore, 
when using the conventional method, it is not 
practical to verify the validity of all partial 

25 signatures every time when the signature is 

generated. For example, in the system proposed in 
the article of Wu , only when an incorrect integrated 
signature is detected, the verification of partial 
signatures used for generating the integrated 

30 signature is performed. 

When using the verification method of 
validity of partial signatures of the present 
invention, since the time complexity can be largely 
decreased as described above, a system which 

35 verifies the validity of all partial signatures 

every time when the signature is generated can be 
realized. 
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The present invention is not limited to 
the specifically disclosed embodiments , and 
variations and modifications may be made without 
departing from the scope of the invention. 
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